Share:|

When EUEM components are deployed, they are communicating with each other in different ways. Let’s refer to the basic architecture of a simple deployment of EUEM.

 

euem-diagram.png

 

Let’s review each component roles

 

  • The Cloud Probe is the capture engine. It is capturing TCP/IP packets and is building objects (HTTP( and HTTPS request and response pairs) and extracts whatever data it is configured to. When objects are captured, they are sent to the Real User Collector.

 

  • The Real User Collector buffers those objects (several Cloud Probes may send data to one collector) for the Analyzer to consume (one or several Analyzers may get data from one Collector).

 

  • The Real User Analyzer retrieves data from one or more Real User Collectors and performs most of the processing.

 

 

All the communications between EUEM components occur on a secure channel using HTTPS. The same goes for managing EUEM by accessing its web interface.

 

The Collector and the Analyzer have their own built-in SSL certificates. When deployed a self-signed SSL certificate is generated for each component. Given that the authentication between each EUEM components is done via user accounts, there is no two-way SSL authentication as in other TrueSight Operations Management products.

 

Replacing a SSL certificate on any EUEM component does not impact the entire deployment and without causing any disruption in the way the product works. This means that one can use a signed certificate on an Analyzer and still use the self-signed certificate on the Collector without breaking the flow between the components. This also means that one does not have to change anything on the TrueSight Presentation Server for the Analyzer & TSPS integration or on the App Visibility Portal server when the App Visibility integration is configured.

 

As long as the configured SSL certificate is a valid and signed one, there is no problem!

 

The steps below are for the Real User Analyzer but the same procedure applies to the Real User Collector. Since there is no web UI for Cloud Probe, there is no SSL certificate on Cloud Probe to change.

 

EUEM is a Java application running on a Tomcat server.  Replacing the SSL certificate is very simple. The steps are

  1. Get a signed SSL certificate from a Certificate Authority and the original SSL private Key.
  2. Bundle them in a Java keystore format.
  3. Configure EUEM to use this keystore instead of the default one created at installation time.

 

Important notice: It is your responsibility to provide the Java keystore file. BMC is not responsible and will not provide help in generating it.

 

Configuring the Analyzer to use your keystore file

  1. Copy your keystore file to the Real User Analyzer server.
  2. Make a copy of the following file as a backup.
    1. $EUEM_HOME/analyzer/apache-tomcat/conf/server.xml
  3. Edit the server.xml file
  4. Look for the following lines. The first line is a pointer to the full pathname of your keystore file. The second line specifies the password (*) to that keystore.
    1. keystoreFile="${truesight.home}/conf/platform/security/keystore/java/keystore"
    2. keystorePass="tsPwDSt0r3"
  5. Restart the Real User Analyzer at your convenience to have the changes take effect.

 

If you have the Real User Collector deployed on the same system you have to repeat the steps as its SSL certificate configuration is separate.

 

 

(*) About storing the keystore password in clear text in the server.xml file. This is a constraint from the Tomcat design itself. This is best and fully described in the official Apache Tomcat FAQ.